Connect Outlook 2003 to Exchange 2003 using RPC over HTTP

Published: October 2003 (last updated December 2003)

In this article I will describe how you use the new RPC over HTTP functionality,
which makes it possible to connect an Outlook 2003 client to your Exchange 2003
server over the Internet, without the use of a traditional VPN connection.

Overview of the Technology

Before I start concentrating on the configuration part, let's look briefly
at the technology behind the RPC over HTTP functionality. As most Exchange admins
are aware, the Outlook client normally communicates with the
Exchange server with the help of MAPI calls, which are sent via RPCs
(Remote Procedure Calls). This is still true with RPC over HTTP; what the
RPC over HTTP functionality does is put an HTTP wrapper around the traffic.
This makes it possible for Outlook clients to communicate with the Exchange
2003 server even though they aren’t connected to the local network.

The nice thing about the RPC over HTTP functionality, besides users getting
full Outlook access, is that you only have to open one port in the firewall, typically
port 443 (SSL), just like with OWA (Outlook Web Access). You could of
course make use of a VPN connection, but the Outlook client has never worked
well through VPN connections.

Requirements

I will start by mentioning the requirements in order to get RPC over HTTP working.

Client(s)
The client(s) should be running Windows XP with at least Service Pack 1; you
will also need to install the patch mentioned in MS
KB 331320. Note that the patch will be included in Windows XP Service Pack 2,
which should be out within the first half of 2004.

Server(s)
The Exchange server needs to be running Windows 2003 and Exchange 2003. All
other servers that need to communicate with the client, meaning DCs
(Domain Controllers), GCs (Global Catalog servers) etc., need to be running Windows
2003. Running Exchange in a Front-End/Back-End topology is not a requirement,
as many believe; you could actually get by running everything from
a single server. But depending on your environment, Microsoft recommends you
make use of a Front-End/Back-End scenario, if possible placed behind an
ISA 2000 server.

You will also need to have a Microsoft Certificate Authority (CA) installed;
it is used to issue the certificates needed in order to
have SSL/443 working properly. You could also go the easy way and get the
certificate from a certificate provider like Verisign
or Thawte.

Note: Installation of a Microsoft Certificate Authority (CA)
is beyond the scope of this article, but you should be able to find a few articles
describing the procedure by doing a search on Google.

Configuring the Server(s)

Well, let's move straight ahead and get the server(s) configured.

I will use a scenario consisting of an Exchange 2003 server and a Windows 2003
DC; the Exchange server will be acting as the RPC Proxy Server.

First we will need to install the RPC Proxy Service on the Exchange server,
so log on to it and do the following:

Note: If you had several other servers (could be additional
Exchange & Global Catalog servers) which the Outlook client needed to communicate
with, you would have to add these to the above string as well.

Now close the registry editor, then open the IIS Manager and
do the following:

- Click Yes in the warning popup box (as we already have enabled
SSL)
- Click Ok twice and close the IIS Manager

Now we need to log on to the Global Catalog server (which would be the
Domain Controller). Here we need to add a string to the registry as well, so
navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

- Then click Edit in the menu > New, then click Multi-String Value
- Name it NSPI interface protocol sequences
- Right-click the NSPI interface protocol sequences multi-string value, and then click Modify
- Type ncacn_http:6004 in the value box

Now restart the Global Catalog Server.

That was it for the server part; let's move on to the Outlook RPC over HTTP
profile configuration.

Configuring the Client

To configure an RPC over HTTP profile on the client, do the following:

- Open the Control Panel | Double-click Mail
- Click Show Profiles

- Click Add…

Give the profile a name and click Ok

- Click Next and select Microsoft Exchange Server

Now you should type in your Fully Qualified Domain Name, this
should be the same as the one used on your SSL certificate.

Set a checkmark in Use Cached Exchange Mode, type in your username,
but don’t hit Check Name yet, instead click More
Settings…

Type in your FQDN (still the same as on your SSL certificate)
in Use this url to connect to my proxy server for Exchange:

Put a checkmark in Mutually authenticate session when connecting with
SSL Principal name for proxy server:

Then type:

MSSTD:FQDN (again FQDN should be the same as on the SSL certificate)

It’s also recommended you set a checkmark in both:

On fast networks, connect using HTTP first, then TCP/IP and

On slow networks, connect using HTTP first, then connect using TCP/IP

Last but not least, make sure you have chosen Basic Authentication
under Proxy authentication settings

- Click Ok | Ok | Next |
Finish

You’re finished!

You should now be able to connect to your Exchange Server from anywhere over
the Internet. Be aware when you start up your Outlook client, you will be asked
for user credentials.

To see if you’re actually connected to your Exchange server using RPC
over HTTP, right-click the Outlook icon in the system tray while holding down
CTRL; you will then have the option of choosing Connection
Status. Here you can see if you're connected and, if so, what connection
type is used.
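
The client steps above use the same FQDN in three places: the proxy server URL, the MSSTD: principal name, and the SSL certificate. The following Python check is an added example, not part of the original article; it compares the three and reports any mismatch. The function names and sample values are constructed, and the certificate is assumed to be a dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
PREFIX = "msstd:"  # prefix of the principal name typed into the Outlook profile


def cert_common_names(cert):
    """Return the lower-cased commonName values of a getpeercert()-style dict."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def check_profile(proxy_host, principal, cert):
    """Return a list of mismatches; an empty list means all three names agree.

    Assumption of this example: names are compared case-insensitively.
    """
    problems = []
    host = proxy_host.strip().lower().rstrip(".")
    principal = principal.strip()
    if principal.lower().startswith(PREFIX):
        principal_name = principal[len(PREFIX):].strip().lower().rstrip(".")
    else:
        problems.append("principal name does not start with 'msstd:'")
        principal_name = principal.lower().rstrip(".")
    if principal_name != host:
        problems.append(
            f"principal name {principal_name!r} differs from proxy host {host!r}")
    names = cert_common_names(cert)
    if not names:
        problems.append("certificate has no commonName")
    elif host not in names:
        problems.append(
            f"proxy host {host!r} is not the certificate name {names!r}")
    return problems


# Constructed sample certificate (not taken from a real server).
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "mail.example.com"),)),
}

if __name__ == "__main__":
    # Internal server name typed into the profile instead of the certificate name.
    for line in check_profile("exch01.corp.local", "msstd:exch01.corp.local",
                              SAMPLE_CERT):
        print("MISMATCH:", line)
```
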

Final words

Even though the RPC over HTTP functionality requires quite some configuration
on both the client and the server end, it's hard to give it the thumbs down.
Once you're up and running, you will find it a true pleasure not having
to establish a VPN connection and/or be limited by Outlook Web Access (OWA).
I have, by the way, heard from MS sources that a script for automatically configuring
the servers for RPC over HTTP functionality will be released as a part of
Windows 2003 Server Service Pack 1.
